Further guidance on reading and verifying Django generated passwords with OAuth2/passlib.

[jheim5]

First Check

• I added a very descriptive title to this issue.
• I used the GitHub search to find a similar issue and didn't find it.
• I searched the FastAPI documentation, with the integrated search.
• I already searched in Google "How to X in FastAPI" and didn't find any information.
• I already read and followed all the tutorial in the docs and didn't find an answer.
• I already checked if it is not related to FastAPI but to Pydantic.
• I already checked if it is not related to FastAPI but to Swagger UI.
• I already checked if it is not related to FastAPI but to ReDoc.

Commit to Help

• I commit to help with one of those options 👆

Example Code

*No Code to Show

Description

This is a request for further guidance or resources around a 'Tip' provided in the Security OAuth2 tutorial.
Following the OAuth2 security tutorial, I see the tip where you can read/verify django generated passwords and I'm failing to find more resources around being able to do this.

Basically my goal is to have my FastAPI application share user authentication with a separate django site which uses the default built-in authentication. Users are expected to use the FastAPI app programmatically and not have any UI for setting up authentication. So my thought is that they would pass in their credentials in a form or some secure manner along with the other parameters of the request.

My assumed steps:

1. Take user passed in credentials and send an API call to the Django backend for a list of users and their hashed passwords.
2. If there is a username match, run a passlib function over the django hashed password and user supplied password.
3. If their is a match or they are somehow confirmed to be equal, then allow the request to proceed with processing user supplied param data.

Any help or guidance on whether these steps are in the right direction or added suggestions is greatly appreciated!

Operating System

Linux

Operating System Details

No response

FastAPI Version

0.87.0

Python Version

python 3.10

Additional Context

No response

[jheim5]

I may have found a partial answer to my inquiry.

I found out how to verify a user provided password with one generated by django with this confirmed SO answer.

from passlib.apps import django_context
hash = 'pbkdf2_sha256$20000$3RFHVUvhZbu5$llCkkBhVqeh69KSETtH8gK5iTQVy2guwSSyTeGyguxE='
user_input = 'password'
django_context.verify(user_input, hash)

With that piece out of the way, are my steps a valid way to proceed or is that not a secure means to verify a user?

Thank you.

[jheim5]

Closing as I believe my question is no longer relevant to FastAPI specifically but to REST API security in general.